Approved Provisional Measure Creating the National Data Protection Authority in Brazil

On December 27, 2018, Provisional Measure No. 869 was published in the Official Gazette, amending Law No. 13,709/2018 (the “General Data Protection Act” or “GDPA”) creating the National Data Protection Authority. This is very important news, since the authority plays a fundamental role in the enforcement of the law, as well as providing legal certainty to support controllers and data processors in their doubts regarding compliance with legislation.

In addition to the creation of the Authority, some other changes in the law were promoted, among which we highlight the ones below:

  • The effective date of the GDPA was postponed to August 18, 2020, but the provisions concerning the creation and organization of the National Authority and the National Council for the Protection of Personal Data and Privacy have already entered into force today.
  • Article 3 of the GDPA has been amended to make it clear that any of the following activities are subject to legal regulations, namely: (i) the processing carried out in Brazilian territory; (ii) if the purpose of the processing is the supply of goods or services rendering, or, yet, in case of processing of data subjects located in the national territory; or (iii) the personal data subject to the processing have been collected in the national territory.
  • The definition of data protection officer was changed to “a person indicated by the controller to act as a channel of communication between the controller, data subjects and the National Data Protection Authority,” apparently dismissing the need the data protection officer is a natural person (although interpretation of this provision will be subject to debate in the course of law enforcement).
  • The definition of “national authority” has also changed, so that it may be a federal public administration body, a member of the Presidency of the Republic, responsible for overseeing, implementing and monitoring compliance with the GDPA (the previous language established that it would necessarily be an indirect administration entity). This implies a greater control of the State on the activities carried out by the authority, noting that it also supervises the processing of personal data by the public power.
  • The Provisional Measure expressly provided technical autonomy to the national authority and established the composition of the National Council for the Protection of Personal Data and Privacy, including members of the Executive, Legislative and Judiciary Branches, as well as the Management Committee for the Internet in Brazil, civil and business sectors.
  • The Provisional Measure established the competence of the National Authority, such as for (i) ensuring the protection of personal data; (ii) editing norms and procedures on the protection of personal data; (iii) deciding, at the administrative level, on the interpretation of the GDPA; (iv) requesting information from the data controllers and operators; and (v) supervising and applying sanctions, among others.
  • Provisional Measure No. 869 now allows the communication or shared use among controllers of sensitive personal data related to health in order to obtain an economic advantage in case of need for communication for the adequate provision of supplementary health services, besides the hypothesis of portability of personal data when authorized by the data subject (article 11, paragraph 4).
  • The review of decisions taken solely on the basis of automated processing of personal data that affect the interests of data subjects (such as the definition of professional profile, consumption, credit, etc.) will not need, necessarily, to be made by a natural person, as required in the previous version of the GDPA (Article 20). Therefore, such decisions can, apparently, be reviewed it by artificial intelligence.

As mentioned, Provisional Measure No. 869 came into force today, December 28th, 2018 and Demarest’s Cybersecurity Team is at your service to clarify any doubts.